The IT security room


Nowadays, there is a lot of talk about how business processes need to be optimised. This optimisation not only applies to all corporate processes but also - regardless of its size - to each company in general. In addition to efficiency in manufacturing and distribution, a particular focus of optimisation is the improvement and effectuation of IT structures. Today, information technology is a tool which is indispensable for one's global competitive standing. Companies which are not yet "online" cannot participate in globalisation.

In addition to this, in many countries, IT systems have become an integral constituent of the corporate processes and are thus no longer a tool used in the success of a company, but are rather also a legally-binding element of the corporate purpose. Laws and ordinances, such as the law for control and transparency in the company sector (KonTraG), Basel II or the Sarbanes-Oxley Act almost entirely integrate the company's own IT structure into the main corporate processes. Since then, those persons responsible for IT see themselves as being exposed to extensive liability risks. The failure of their IT systems is regarded in many companies as being the worst catastrophe that could happen to them. Customer claims for damages, losses to productivity, the interruption of entire business processes, the negative impact on the corporate image and incalculable liability risks are only some of the possible IT system insecurities faced by companies and organisations. The need to act and set up more secure and accessible IT systems is thus a question of existential importance for companies. This means that a comprehensive analysis phase must be employed to determine weak points in IT structures in order to calculate the actual demand for IT security. The subsequent planning must take into account risk potentials from the data centre environment and, if necessary, procure additional protection.
In a detailed plan, room allocations, transportation channels, room heights, cable laying routes, raised floor height and telecommunications systems must be established in advance to avoid a rude awakening at a later stage.

Comprehensive IT security - tailor-made to individual requirements!
If you view the issue of IT security in its entirety, then you will immediately recognise that it far exceeds purely logical and technical security. In addition to firewalls, virus blocking systems and storage concepts, the protection of IT structures against physical dangers is of immense importance. Regardless of the required protection class - from basic protection through to extended basic protection and high availability with the most minimal of failure tolerances - requirements-based IT protection is needed. Individual solutions are required here, ones which are adapted to suit the corporate structures and not vice versa. Economic IT security solutions are therefore modular so that they can flexibly respond to the situation. They are scalable so that they can grow in line with the company and are, above all, comprehensive so that precisely the required protection is provided once the corresponding danger has occurred. For this reason, it is important to be aware of what dangers could occur beforehand, for only then can a tailored security solution be implemented. The following indicates the risks which must be taken into account by the people responsible for IT during the planning stage.

Fire risk
Only approximately 20% of all fires ignite directly in the server room or in its direct proximity. Most fires - almost 80% - ignite outside of IT structures, which means that this risk needs to be looked at on two levels. Protection against fire which originates inside of the security room can be covered by early fire-detection systems (EFD systems), fire alarm and extinguishing systems. These systems can also be designed redundantly - so that false alarms can be avoided. EFD systems permanently extract air from the racks to be protected using active smoke extraction systems and even detect the smallest, entirely invisible smoke particles (response sensitivity of approx. 0.01% light scattering/m). Digital particle counters used in laser technology can also be applied here. Due to high air speeds in air-conditioned rooms, the smoke is greatly dispersed, meaning that EFD systems must always have a sufficient level of detection sensitivity. Using filters and intelligent signal processing algorithms, disturbances are kept away, or kept safely separate. Expert manufacturers also offer this equipment combined as fire-alarm and detection systems which can be used with ease and while saving space in 19" server racks.

With non-poisonous extinguishing gases, fires are suffocated during the pyrolysis phase (fire ignition phase) with the result that any possible damage is ultimately as minor as possible and fire dispersion is prevented. The extinguishing gas takes effect far faster than foam, powder or water and does not cause any damage or leave any residue. In modern systems, the gas cartridges can even be replaced and activated without the need for a service engineer. In addition to FM-200, noble gas (e.g., argon), nitrogen, Inergen or carbon dioxide are used as gases which suffocate the fire through oxygen removal. In addition, there are also extinguishing gases which extinguish the fire by absorbing heat, such as the new Novec™ 1230, for example. Its advantage lies in the fact that only a lower volume of it is required to extinguish the fire. In addition to the use of extinguishing gases, the oxygen level can also be reduced (inertization) parallel to this in rooms with a fire risk (data centres). Using an air decomposition system, the air in the room is split up into its individual constituents and the oxygen concentration reduced to around 15 vol.-%. This way, fires can be prevented right from the very beginning. This reduction in oxygen does not mean that people cannot enter the data centre as it is principally non-hazardous to the human organism. Both EFD and fire-alarm and extinguishing systems are now available from leading manufacturers in space-saving and easy-to-install 1 HU technology, meaning that good protection no longer has to depend on the amount of space available.

But how can those systems which are critical to the company as a whole be protected against external fire sources? Here are several factors to be taken into consideration. The security room must firstly be fireproof, not just protected against fire. This means it must offer elementary protection against the flames. Once this protection has been guaranteed, care must also be taken to ensure that the room temperature and air humidity in the server room do not increase to a level which will affect the sensitive equipment. Here, it is absolutely essential that the upper limits stipulated in the EN 1047-2 standard be observed. Fire protection lasting 180 minutes (3 hours) and the observance of a maximum temperature of 70°C and 85% air humidity for 60 minutes are currently viewed as being the recognised benchmark in the field of modular security rooms. This can only be guaranteed by a security room solution which has been tested and certified by the independent European Certification Board - Security Systems (ECB•S) with additional, extended fire testing.

Water risk
A danger which is frequently not taken into adequate consideration for IT systems is water. And this danger does not only come in the form of pipe leaks or floods, but is often the result of the aforementioned fire threat: due to fire extinguishing water. On many occasions, the primary damage caused by the fire is far less severe than the damage caused by the water used to extinguish the fire. This means that IT rooms need to be water-tight during the time when the fire is being fought and must be able to withstand stagnant water - as is the case during a flood, for example. The water-tightness should be proven to comply with EN 60529 and should be independently certified. Protection against stagnant water over a period of 72 hours is currently the state of technology required by high-availability systems. The latest developments allow data centres to be equipped with wireless sensors which can detect a leak at an early stage and then provide both the relevant warning signals and also, if required, automatically close the doors to the server room. This becomes particularly important when highly efficient liquid cooling systems are used for racks. Another field of application is leakage detection outside or above security rooms - which allows the system operator to initiate targeted countermeasures as early as possible should water escape.

Smoke risk
Even if the fire is not raging in the immediate vicinity of the data centre, there is still a risk of the IT structures becoming severely damaged. Particularly if plastics such as PVC or similar materials are burnt, poisonous and, above all, corrosive smoke gases are created. Should a fire occur, 1 kilogram of PVC will emit approx. 360 litres of hydrochloric acid gas and produce up to 4,500 cubic metres of smoke gas. These will destroy IT structures in the shortest possible time and considerably reduce the so-called "mean time between failure" (MTBF). The MTBF refers to the average, non-calculable time which elapses until the unplanned failure of hardware components occurs. Reliable protection can only be provided here by hermetically-sealed server rooms which can withstand these dangerous gases and thus completely protect their valuable content against any threat. Tested smoke gas resistance in accordance with the EN 18095 standard is essential for survival here. In Germany, the level of water and gas resistance is described using the IP quality class. A data centre should have protection to IP 56 level.

Power supply risk
Even the best technology used in a company's IT system will experience problems if there is a power failure. As the power blackouts which occurred last year show, this still poses a real danger for data centres in Europe today, a danger which needs to be met head on. Systems used for providing an uninterruptible power supply, so-called UPS systems, step in once the power network has broken down. Modern UPS systems (online systems) operate continually and supply the consumer via their power circuits. This means that the brief, yet dangerous, change-over procedure can be omitted. The UPS system then reliably bridges the time needed until the power is available once again. Thanks to integrated batteries, modern UPS systems can also continue operating if the power should fail for a slightly longer period. UPS systems are classified in accordance with EN 50091-3 and EN 62040-3 VFI. For reliable breakdown protection, equipment used in data centres should fulfil the highest quality class 1 VFI-SS-111.

When it comes to UPS systems, a differentiation is normally made between single and multi-phase 19" plug-in systems and floor-mounted appliances with a range of performances. The units provide perfect sine-wave voltage and optimally balance out voltage peaks or "interference". Particularly user-friendly systems can be extended as required and can be retrofitted while the system is still in operation. If, however, the power supply system is to remain offline for several hours, then even the best batteries will no longer be of any help. In such cases, so-called emergency power systems are required. These are completely self-sufficient systems which independently generate the power needed to keep the data centre "alive" and recharge the batteries in the UPS system. In most cases, the units are diesel engines which start up during a power failure, already during the time when the power is being supplied by the UPS equipment.

New research points out that these diesel engines may be driven in the future using fuels which are gentle on resources, such as vegetable oil, for example - in a similar way as in combined heat and power plants. This way, the units can continuously generate power in an environmentally-friendly manner without additional CO2 emissions, power which could then be sold at a profit if it is not required to operate the data centre. Fuel cells will also become more and more important in the future for operating emergency power systems. Fuel cells reduce the total cost of ownership (TCO) and have clear advantages when compared to battery-buffered back-up systems as regards service life, temperature fluctuations and back-up times. In addition, fuel cells are extremely environmentally-friendly thanks to the creation of pure water as a reaction product.

Air-conditioning risk
Modern Blade server technologies or Mainframe environments which can be continually upgraded are available to increase the data centre's capability. Thus, the primary task of air-conditioning solutions is to discharge the heat emitted within the computer systems. However, in such cases, it is important to also consider that, with each increase in a data centre's performance, the demands on the cooling performance of the air-conditioning systems used shall also increase. In thermal load cases measuring a maximum 800 W/m² in the server room, air conditioners which are suspended from the ceiling or are wall-mounted can be used. On the other hand, floor-mounted air conditioning systems which blow the air downwards into the raised floor are used where there are high thermal loads exceeding 800 W/m². Air-conditioning systems can essentially be positioned inside or outside a data centre. If used inside of a data centre, the air-conditioning systems are particularly suitable for rack-based cooling, to target hot spots inside the server room. The operating costs are reduced and the noise produced remains inside the room. In addition, the units are protected against unauthorised access and the protection room wall is not weakened through additional openings, such as the ventilation slide. If the air conditioners are positioned outside of the room, there is no need for maintenance personnel to enter the room. Furthermore, no additional space is used up in the data centre and the fire load is not further increased by the air-conditioning system. It is also generally possible to supply fresh air without a great deal of effort. For cost reasons, a sure 100% redundancy in accordance with Tier III (see Uptime Institute USA) should only be provided in most cases for wall and ceiling-mounted units with a rather low cooling capacity.

If higher capacities are required, meaning floor-mounted air conditioning units are installed, "n+1 redundancy" (Tier II) is provided, i.e., a particular number of units operates continuously and an additional unit acts as a reserve (is redundant). If the humidity range of 30-68% (relative humidity) stipulated in VDI guideline 2054 is to be observed regardless of the outside conditions, the air conditioners should contain both air humidifiers and dehumidifiers. A safe bet is to choose a system which has been certified by Eurovent (lobby of European manufacturers of air ventilation and conditioning systems). To cool hot spots within data centres, the use of so-called liquid cooling packages is also conceivable. These extract the emitted warm air along the entire length of the cabinet with the aid of redundant and high-performance fans and discharge it via an air and water heat exchanger to a cold water network or a cooler.

Dust risk
Dust is a natural enemy of sensitive IT systems and should be completely banned from a secure data centre. The fine dust particles sometimes reduce the service life of fans and other electronic components considerably. Maintenance work and those performing it often create so much dust that they should be kept away from a secure data centre at all costs. An intelligent IT room protection system should always be set up with a dust-free concept. Even during conversions and retrofits, importance should be placed on the work being performed without the introduction of dust. In any case, dust resistance in accordance with the regulations stated in EN 60529, IP 56 with ref. number 1 (see "Water risk") should be requested if unpleasant surprises are to be avoided at a later stage.

Unauthorised access risk
Server rooms and data centres are among the most sensitive areas in a company. It is extremely important that only authorised persons gain access and that this access be carefully documented. A study carried out by the International Computer Security Association (ICSA) showed that internal attacks on IT systems occur much more frequently than external ones. The data centre protection must therefore, on the one hand, satisfy the demands on protection against unauthorised access, sabotage and espionage and, on the other, make allowance for the fact that certain persons may only be able to enter particular areas of the server room to perform precisely defined tasks there. Break-in protection according to EN 1627, with resistance class III (WKIII) can be achieved without a great deal of effort. These procedures must be monitored and also recorded if the corresponding Lampertz documentation and logging regulations are to be complied with. If possible, the air-conditioning and electrical engineering equipment can be physically separated from the actual servers so that these devices can be serviced from the outside. For access surveillance purposes, both biometric and conventional access surveillance solutions, or a combination of both, can be supplied.

Biometric systems in combination with magnetic card scanners increase the safety level distinctly. In any case, the access surveillance system must be adapted to precisely suit the specifications for the respective use. The highest level of security is guaranteed by the new vein recognition technology. The crucial advantage is made apparent, above all, through the high level of precision offered by a false acceptance rate of below 0.00008% and a false rejection rate of only 0.01%. Furthermore, it is extremely hygienic to handle, as its operation does not require any direct contact with the unit. Using video surveillance systems with image sensors with CCD or CMOS technology, up to 1,000 cameras can be managed (regardless of the manufacturer), based on the requirement profile and using corresponding software. The camera systems thus provide transparency, surveillance and reliability in the data centres. With sophisticated video management, modern surveillance systems are capable of managing and recording alarm conditions. If the images are to be suitable for providing proof and analysis, an intelligent system must keep the corresponding interfaces and processing possibilities at the ready.

Explosion risk
The risk of terrorist attacks or other disasters which could trigger explosions must be taken into consideration when planning a high-availability security room concept right from the beginning. Modern, certified server rooms must be subjected to an explosion test in accordance with the SEAP standard. Highly-secure, modular server rooms are set up in wall panels so that they are pressure-resilient and can withstand major explosions, thus protecting the valuable IT systems against irreparable damage. IT systems must also be protected against debris and vandalism if real "all-round protection" is to be guaranteed.

Intelligent cable management
Power and data cabling already require intensive planning from the very beginning and the location where the cabling is to be later laid must also be documented if the concept or the demands are to be implemented quickly. The cabling must also be laid sensibly on cable trays or in cable ducts. The raised floor is often used for the laying of cables meaning that maintenance work can be performed without the need for any constructional work in the server room itself. However, cable ducts are often weak points in the system. Ducts must be able to satisfy all safety requirements with regard to fire, gas and water protection in the same way as the walls, ceilings and doors - while also being flexible enough to be able to permit retrofits and modifications to the cable laying process to be performed quickly and efficiently. Here, attention should be paid to choosing systems with the correct level of certification.

Future viability
The long-term planning of IT structures at a time in which the briefest of product lifecycles and continually growing demands on IT systems prevail is becoming more and more complicated for many companies. Future developments need to be included during the data centre planning stage. Will the data centre become larger or smaller in the future? Will the location possibly change and how can an existing data centre be successfully protected while it is still in operation? Are there also ways to install the data centre outside of the company grounds or to perform a complete relocation without having to expensively tear down important elements? A competent partner in the data centre construction sector accompanies the customer through the project right from the beginning and does not leave him on his own once the room has been completed, but rather supports the company in the long term.

 

Flexibility / scalability
If data centre operators are to be guaranteed high flexibility with additional investment security, they must be able to pick out the suppliers of secure data centres based on valid criteria. Important here are certificates awarded by independent test organisations such as, for example, the ECB•S, TÜV-IT or the Federal Office for Security in Information Technology (BSI). The external checking of the construction work during and after the construction phase also plays an important role. Nowadays, scalable solutions are indispensable when it comes to the efficient utilisation of data centre infrastructures. Only those suppliers who can fulfil this important requirement may be included in the planning process. The well thought-out use of existing building or office space can minimise the risk of a total system failure through the installation of data centre units. If existing building or office space is used intelligently, a new build should not be required each time. Modular security room technologies also allow secure server rooms to be installed in decentralised locations. Their modularity allows them to be integrated easily and economically into existing structures and they can, if required, be extended or modified extremely easily, or can even be relocated. Thanks to a room structure which is adapted to his needs and demands, the user may also reap the benefit of huge savings. In many cases, security rooms can also be rented or leased so that even short-term extensions can be achieved with relative simplicity.

Secure yet fast - how is this possible?
If a situation is dealt with properly, then it sometimes takes quite a bit longer to sort out. Experience has proven this to be true. However, it does not need to be the case. If a competent partner supports the company in the planning and implementation of a secure data centre right from the beginning, it is possible to save not only hard cash, but also valuable time. No time is lost through drawn-out decision-making processes including different trade sectors - this is what "security from a single source" really means. With only one contact, a lot of things can be processed both quicker and easier than is the case with a number of different contacts. Companies can concentrate on their daily business activities while, in the background, the data centre is being "secured". In the implementation phase, the IT specialist observes the customer-specific business hours and co-ordinates the different trade areas correspondingly. The customer is provided with comprehensive support during both the planning and the execution of the project, for the entire duration of the project right up to the turnkey handing-over of the equipment. During the design planning stage, information taken from the specification sheet is made more precise through the acquisition of the necessary details. Here, however, the security room manufacturer's many years of experience are put to use, thus allowing the avoidance of faults and a greater level of efficiency. In addition to managing and surveying the building site, well-conceived project controlling always guarantees cost transparency and prevents unpleasant surprises at the transfer stage.

State projects contracted by the Federal and individual state governments can also be accompanied by an additional limitation: non-disclosure protection. Not all building projects are public; some may not be accessible to all suppliers for certain, comprehensible reasons. This way, authorities such as ministries, the Federal Office for the Protection of the Constitution, the Federal Criminal Offices or even the intelligence services do not publicly call for tenders indicating their demands on the data centre and planning work, but rather only work with security-checked and thus trustworthy companies and their employees. This "officially established" security can also be one of the reasons why private enterprises (banks, insurance companies, high-tech companies etc.) may choose a particular company for a project or contract to build a data centre.

Expertise from the very beginning
To achieve a comprehensive evaluation of the situation on site, firstly the actual status is recorded and the structural conditions are examined. The detailed planning suggestion which then follows contains a complete advice package, the basis for planning security and cost control. Experienced and expert project managers know just how IT structures can best be secured. It is important to provide comprehensive advice and support throughout the entire process so that the data centre security can be implemented efficiently and quickly and, above all, without having to interfere in the company's course of business. Advice can only be provided from a holistic viewpoint. Advice which takes into account the entire corporate structure must always follow a holistic approach. Comprehensive risk analysis in collaboration with the recording and neutral evaluation of the structural conditions at the relevant locations must be a matter of course. The entire professional planning and its transfer to a specification sheet are an integral constituent of a quotation. This way, each company can achieve its own optimum solution for the construction of a data centre which is protected to the required level.

Service you can rely on
Regardless of the size of the company in question, the importance of IT-system availability is continually on the increase. For this reason, a reliable service is also required once the secure data centre has been completed. The gap-free, documented maintenance and examination of the data centre structures in established intervals is a service which is indispensable nowadays, yet one which is frequently neglected. For this reason, a long-term service concept must be developed, one which stays abreast of current market developments and does not just act once the worst case scenario has already taken place. A complete inability to act due to an IT system failure is a scenario which companies can nowadays no longer afford to experience. Only a service solution concept which is individually adapted and can be sustained in the long term will make a data centre secure all round. For each component, such as the room itself, the air conditioners, the fire-alarm and early fire detection systems, the UPS systems and emergency power systems, the cable ducts, the surveillance and access monitoring systems, the maintenance, service and warranty must be covered in an "all-round carefree package" which takes into account the physical and power environment of the IT structures. A large number of services is available depending on your targets. Whether you require complete technical service with 24 hour availability and monitoring for all units or any other conceivable solution, this solution is worked out and clarified individually for each company.

Remote surveillance and control
Using special remote surveillance tools, all of the functions of the security room can be monitored and even controlled externally. If an alarm is raised, a preset alarm routine is executed without a time delay. This alarm can comprise an optical or acoustic signal, or be distributed via a corresponding interface as a message to the administrator or a defined "emergency call centre". Furthermore, these tools are also used to control the extinguishing system and additional measures can be triggered in accordance with the alarm sequence plan. Via novel rack doors with colour displays, the statuses of the respective systems can also be optically displayed in the future, allowing the status of the systems to be easily viewed, e.g., via a webcam.

Lowering insurance premiums through ratings
If you can prove that a data centre or server room is secured through adequate measures, insurance companies and credit institutes will often downgrade your risk potential. This way, insurance premiums can be effectively reduced. Here, independent testing and certification should be provided for the safety elements in use. Credit institutes and auditing firms also have an obligation to check and assess companies to establish the level of their IT structure security. Thus, with a secure IT environment, proof of more positive assessments can also be provided here. In some cases, they can have an immediate impact on credit ratings and provide those companies which have a certified data centre with more financial leeway.

Conclusion
If you want to set up a secure, and possibly also a high-availability data centre nowadays, then you will need a strong partner who can offer and then provide the best possible all-round support from the planning stage right through to the implementation and turnkey hand-over stages. Only this way can you be entirely sure that all of the indicated risks and influencing factors have been taken into consideration and that your IT structures will be protected in accordance with your conditions and budgetary limits. Only those suppliers which undergo neutral certification tests and apply system-tested solutions can achieve comprehensive IT protection and guarantee malfunction-free business continuity - providing: security at its best.
